PO3.4 Technology Standards

by Bill Oxley

CobiT definition:

To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide
technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with
these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks
and compliance with external requirements.

Bill says,

This control objective has a number of different but important elements – in fact if I had been drafting this governance framework I may well have separated what I see to be two major points being addressed here.

The guidance is to establish a forum for the purpose of establishing technology guidelines and providing advice, but then it goes on to say that this forum would also measure compliance with the standards and guidelines. I don’t mind this forum providing both advice and measuring compliance, but it just seems like the kind of thing that needs to be separate.

In any case, I’ll address it together. So, what is the number one question about this control objective? It would have to be, “what is a forum?” The next control objective talks about establishing a board, so then is a forum different than a board? One could imagine that a forum is simply an informal discussion group but then that doesn’t align very well with the idea that the forum would also be measuring compliance – at least it doesn’t for me.

The advice clearly states that the forum should direct technology standards, but is that different than setting them? If in fact the technology standards forum is different than the architecture board, then it would seem perhaps that this approach is too “big company” for a lot of us. I for one can’t see having different groups advise and set standards, let alone measure compliance. We don’t have enough people!

Here is what I think is being said here and the difference between this and the next control objective, which is to form an IT Architecture Board. While the latter is meant to be focused on big-picture, general architecture design decisions (should we go to a meshed MPLS network, for example), the former is designed to address all levels of technology, including end user devices. Will we be supporting iPhones? What model laptops are we going with this quarter? And so on. In my case we do all of these discussions at the IT Architecture Board level because I don’t have enough staff to have multiple groups.

Remember, this is one man’s opinion. What’s yours? What do you think a forum is?

The fourth step in Determining the Technological Direction is Technology Standards.


1 Rodney Sculthorpe December 30, 2009 at 8:19 am

Bill, I would agree with your assessment, and would also agree that this CO is mixing (what I would call) the mission of an Enterprise Architecture group with that of an IT Governance group. In my trials to establish IT governance currently, a CoE was created to address governance/decision issues, and EA provides the technology and architectural guidance. I do utilize EA’s and conduits of enforcement related to technology governance.
